nubbin Posted September 9, 2009 ID:123739 Share Posted September 9, 2009 I apologize if this is not the proper place to post this - I am new to the forum. Please bare with me.I recently got Windows Police Pro, and cleaned it up successfully (I think). Malwarebytes repeatedly finds the following 3 registry items and cleans them successfully. Even if I restart immediately, the three infections return. Any idea how to fix this permanently?Thank you!Malwarebytes' Anti-Malware 1.40Database version: 2735Windows 5.1.2600 Service Pack 39/6/2009 3:53:37 PMmbam-log-2009-09-06 (15-53-37).txtScan type: Quick ScanObjects scanned: 101713Time elapsed: 12 minute(s), 36 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 2Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmwyybppkc (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Staff miekiemoes Posted September 10, 2009 Staff ID:124206 Share Posted September 10, 2009 Hi,Please download and run WUS_Fix.exe: http://users.telenet.be/marcvn/tools/WUS_Fix.exeThis should restore the default registry settings related with BITS and Automatic updates.Then, First of all, please update MalwareBytes, because the databaseversion is outdated.Start MalwareBytes and click the Update tab. There click "Check for updates"Once the updates are downloaded, perform a quick scan again.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
nubbin Posted September 11, 2009 Author ID:124941 Share Posted September 11, 2009 I apologize for the lack of update - that log file was created a few days ago, and I thought I had updated.I did everything you suggested in the following order:1) Updated Malware Bytes2) Ran Malwarebytes3) Ran WUSFIX4) Created a log with Hijack this.Here is the MBAM log:Malwarebytes' Anti-Malware 1.41Database version: 2780Windows 5.1.2600 Service Pack 39/11/2009 12:47:32 PMmbam-log-2009-09-11 (12-47-32).txtScan type: Quick ScanObjects scanned: 103148Time elapsed: 8 minute(s), 57 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmwyybppkc (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Here is the Hijack This Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:37:27 PM, on 9/11/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\system32\IPSSVC.EXEC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\System32\QCONSVC.EXEC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\TPHDEXLG.EXEC:\WINDOWS\system32\TpKmpSVC.exeC:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\TpShocks.exeC:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeC:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exeC:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exeC:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exeC:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXEC:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Digital Line Detect\DLG.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\explorer.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wikipedia.org/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {5E63E7C5-B1F8-4BAE-B1BE-4E0F735C2395} - (no file)O2 - BHO: (no name) - {b457292a-59dd-44ce-8010-7fd1e47c0b03} - (no file)O2 - BHO: {c0d0e117-9012-a4ab-8104-77763ac8e47c} - {c74e8ca3-6777-4018-ba4a-2109711e0d0c} - (no file)O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exeO4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helperO4 - HKLM\..\Run: [TpShocks] TpShocks.exeO4 - HKLM\..\Run: [TP4EX] tp4ex.exeO4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.ExeO4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exeO4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULERO4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exeO4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXEO4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitorO4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLogO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /SO4 - HKCU\..\Run: [KeyMapperStarup] "C:\Documents and Settings\Alok\Desktop\Keyboard Utilities\KeyRemapper.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO11 - Options group: [JAVA_IBM] Java (IBM)O20 - Winlogon Notify: mlJBRKDV - mlJBRKDV.dll (file missing)O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: IFA_Moore Service - Unknown owner - C:\Program Files\Common Files\Primal Pictures Shared\Service\IFA_Moore Service File.exeO23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXEO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXEO23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exeO23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXEO23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exeO23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe--End of file - 7884 bytesThank you for your help!PS. I apologize if I am doing something stupid. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted September 11, 2009 Staff ID:124943 Share Posted September 11, 2009 Hi,No, you didn't do anything stupid, but please reboot malwarebytes since it has not finished yet, because I see this entry in your HijackThislog:O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptThis means it needs a reboot to clean.Then, after reboot, rescan and post the new log from malwarebytes together with a new HijackThislog. Link to post Share on other sites More sharing options...
nubbin Posted September 11, 2009 Author ID:125066 Share Posted September 11, 2009 The scan came up clean.Thank you for your help! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted September 12, 2009 Staff ID:125270 Share Posted September 12, 2009 Hi,Can you post a new HijackThislog please? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted September 18, 2009 Staff ID:129012 Share Posted September 18, 2009 Due to the lack of feedback, this Topic is closed.If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.Everyone else please begin a New Topic. Link to post Share on other sites More sharing options...
Recommended Posts